-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

GPG Signing Policy
==================

Preamble
- --------

This policy is valid for all signatures made by the following GnuPG keys:

pub   4096R/0xD33C05E67208993D 2014-08-10 [expires: 2015-08-10]
      Key fingerprint = 2ED4 44BD 3AD0 D2C8 97D2  D273 D33C 05E6 7208 993D
uid                 [ultimate] Benedikt FRENZEL
uid                 [ultimate] Benedikt FRENZEL
uid                 [ultimate] Benedikt Frenzel
uid                 [ultimate] [jpeg image of size 1018]
sub   2048R/0xF3189AFC75FE20E7 2014-08-10 [expires: 2015-08-10]
sub   4096R/0xC8345D7E234BA447 2014-08-10 [expires: 2015-08-10]
sub   4096R/0x6A962DD950C0BAB3 2014-08-10 [expires: 2015-08-10]

These keys will always be available on this page[0], but the most current
versions can usually be fetched from the keyserver hkp://keys.gnupg.net [1].

This policy was originally written on 2014-08-22 and will be followed from
that date on, but it may be replaced with a new version at any time.

Content and structure of this document are strongly based on the OpenPGP
Key Signing Policy of Andres J. Diaz[2], slightly modified from the
original.

Location
- --------

I live in Heidenheim (Germany) and am open to signing keys at any time.
The easiest way to get a key verified is to write me an e-mail and arrange
a meeting in the area around Heidenheim. Another opportunity for personal
contact is to approach me at computer-related fairs.

Prerequisites for signing
- -------------------------

- The signee (the key owner who wishes to obtain a signature on his/her key
  from me, the signer) must make his/her OpenPGP key available on a publicly
  accessible keyserver (see above for an example keyserver).
- The signee's key should have a key size of at least 2048 bits.
- The signee must prove his/her identity to me by way of a valid identity
  card or driving licence. These documents must carry a photograph of the
  signee. No other kind of document will be accepted.
  This also implies that the signee's key must carry his/her real name so
  that it can be checked against the identity document. A key which only
  contains a pseudonym will not be signed.
- For people from outside the European Union I will check both of these
  documents (since I cannot assess their risk of fraud). Exceptions may be
  made if there is a good reason for me to do so.

The signee should have prepared a strip of paper with a printout of the
output of

    ~ gpg --fingerprint 0x12345678

(or an equivalent command if the signee does not use GnuPG), where
0x12345678 is the key ID of the key which is to be signed. A handwritten
piece of paper with the fingerprint and all UIDs the signee wants me to
sign will also be accepted.

The above must take place under reasonable circumstances (i.e. neither of
us being in a hurry, exchanging key data at a calm place and so on).

The act of signing
- ------------------

After having received (or exchanged) the proof detailed above I will sign
the signee's piece of paper myself to avoid fraud. At home I will sign the
UIDs which I was asked to sign. Each signature will then be mailed
separately to the mail address of the corresponding UID.

Depending on the nature of the key to be signed, I will use different
signature levels:

Levels of signatures
- --------------------

Here are the levels of trust that I can give to my signatures:

Level 3: A level of 3 is given to sign-and-encrypt keys: I have met the
signee, I have verified his/her identity card and fingerprint, and I was
able to send my signatures encrypted to the corresponding key of the
signee. These signatures are the strongest in my web of trust.
Photographic UIDs will also be signed with a level of 3 if I can still
remember the signee's face when I am back at home.

Level 2: A level of 2 is given to sign-only keys. It is not possible to
determine whether the owner of the mail account is the same as the key
owner, because encryption cannot be used; hence these signatures only
receive the lower level of 2.

Level 1: A level of 1 will never be used by me, for in my opinion it
weakens the web of trust. I have never signed keys without appropriate
verification and I will never do so in the future.

Level 0: A level of 0 is given to keys of Certification Authorities, since
in most cases the key owner is a whole organization and not a single
person. Usually the fingerprints of those keys have to be verified by
getting them from the corresponding website of the CA and cannot be
checked by exchange with a responsible member of the CA. These signatures
are the weakest in my web of trust.

[0] http://bfr.sdf.org/gnupg/pub.asc
[1] http://keys.gnupg.net/
[2] http://ajdiaz.wordpress.com/gpg-signing-policy/
-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJT95IQAAoJEMg0XX4jS6RHikIQANQX4iPyUgx38fRg9NQ3R9uA
hsoIHT1SbR8TD7QZo4EH2pKPHuc9ZyfOnfnzjkid3GjozuAvWnOd8RdUySp1HIYc
6AXZtgnKXniRy8v2TIBtBj9DRjcVrfI/8MVuYKYIhCEALJzt2TKwhMIE2WXtraOw
tYydjUhg7fWdS/h1SDuFUS4BWWupCOihJaGPxlDrRL0Oj1Nab0NvBlMHRVHqW27o
ZOR81QoHfKMhfcQu4fINdod9dycw4GZDFob+ka+EFUsxg/nuvTXmhBgRTl/ZQLe1
lDvLqspnsdosfbSw4yeziLbXaEPkWYmUS1MpZcqxTcPMzh3Eb7SEZQ2i+M7QYR3O
YJB471Y/FyVw7APATFPJ6+5jzX0C9AZCjoTsWxn8xPzkOo41QtjH2ogdw64QGBay
3r9v5isMAHxq9chAf2KjS7RbSoi1QhmhwQFTp5KnEiMqpGhvL+zWUo9joB0zFLGL
Bhtj0/aaUQnjI9offMC8sndIVErjHS2jTG1Rcfl6N7p0l9IqfY1FE6z0VGqwMviS
HaRNRUZL/FgyO8i7+IY/YJlx5eAQM5xJ9DFDPceWJYqJ4wJ4qe51q8wy6qmV2lyY
Nd3BHokAhXPIxs5cm6ovmTuSlV6zDIqhGVbV261TySHVnKzzY0BjmkhOYEZS261n
AiOD3VzfJsbQkH5m8N8g
=9lX6
-----END PGP SIGNATURE-----
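
The workflow described under "The act of signing" and the level assignment under "Levels of signatures", as an added example that sits outside the signed message above and is not the policy author's own tooling: a Python helper that reads GnuPG's machine-readable key listing, checks the prerequisites that can be checked at the keyboard (the fingerprint on the paper slip matches the key, all key material is at least 2048 bits), picks the certification level the policy prescribes (3 for a key that can encrypt, 2 for a sign-only key) and assembles the gpg commands that certify each requested UID and prepare one mail per UID, encrypted to the signee's key whenever the key can encrypt. It assumes GnuPG 2.1 or later (for --quick-sign-key and --export-filter keep-uid) and a local keyring; the listing, key IDs, names and addresses in SAMPLE_LISTING and the signer key ID 0xSIGNERKEYID are constructed for the example. Note that OpenPGP itself (RFC 4880, signature types 0x10 to 0x13) only labels the four levels generic, persona, casual and positive certification; the meanings above are the policy's own, and the helper follows the policy.

```python
"""Added example (not the policy author's code): automate the signing steps.

Parses 'gpg --with-colons --fingerprint --list-keys', checks the policy's
prerequisites, picks the certification level (3 = can encrypt, 2 = sign-only)
and returns the gpg commands for the requested UIDs. Needs GnuPG >= 2.1.
"""
import re
import subprocess
from dataclasses import dataclass, field

MIN_KEY_BITS = 2048  # policy: "at least a key size of 2048 bits"


@dataclass
class KeyInfo:
    fingerprint: str = ""
    bits: list = field(default_factory=list)   # primary key, then subkeys
    can_encrypt: bool = False                  # any (sub)key with 'e' capability
    uids: list = field(default_factory=list)   # (name, email); photo UIDs skipped


def normalize_fpr(text: str) -> str:
    """Canonical fingerprint as printed on a slip: no spaces, upper-case, no 0x."""
    s = re.sub(r"\s+", "", text).upper()
    return s[2:] if s.startswith("0X") else s


def parse_colon_listing(listing: str) -> KeyInfo:
    """Parse one key. Fields per GnuPG doc/DETAILS (1-based): 1 record type,
    3 key length, 10 user ID / fingerprint, 12 capabilities, where lower-case
    letters are the capabilities of that particular (sub)key."""
    info = KeyInfo()
    for line in listing.splitlines():
        f = line.split(":")
        if f[0] in ("pub", "sub"):
            info.bits.append(int(f[2]))
            if "e" in {c for c in f[11] if c.islower()}:
                info.can_encrypt = True
        elif f[0] == "fpr" and not info.fingerprint:
            info.fingerprint = f[9]            # first fpr record = primary key
        elif f[0] == "uid":
            m = re.match(r"(.*?)\s*<([^>]+)>\s*$", f[9])
            info.uids.append((m.group(1), m.group(2)) if m else (f[9], ""))
    return info


def check_prerequisites(info: KeyInfo, slip_fpr: str) -> list:
    """Return the policy violations found; an empty list means go ahead."""
    problems = []
    if normalize_fpr(slip_fpr) != normalize_fpr(info.fingerprint):
        problems.append("fingerprint on the paper slip does not match the key")
    weak = [b for b in info.bits if b < MIN_KEY_BITS]
    if weak:
        problems.append(f"key material below {MIN_KEY_BITS} bits: {weak}")
    return problems


def cert_level(info: KeyInfo) -> int:
    """Policy: 3 for sign-and-encrypt keys, 2 for sign-only keys."""
    return 3 if info.can_encrypt else 2


def signing_commands(info: KeyInfo, requested, signer: str) -> list:
    """One --quick-sign-key per requested UID (matched by mail address), then an
    export keeping only that UID, encrypted to the key when it can encrypt so
    that only the holder of the private key can read and publish it."""
    level = cert_level(info)
    cmds = []
    for name, email in info.uids:
        if email not in requested:
            continue
        cmds.append(f"gpg --local-user {signer} --default-cert-level {level} "
                    f"--quick-sign-key {info.fingerprint} '{name} <{email}>'")
        export = (f"gpg --armor --export-filter 'keep-uid=mbox = {email}' "
                  f"--export {info.fingerprint}")
        if info.can_encrypt:                   # sign-only keys get it in clear
            export += f" | gpg --armor --encrypt --recipient {info.fingerprint}"
        cmds.append(export + f" > sig-for-{email}.asc")
    return cmds


def gpg_listing(keyid: str) -> str:
    """Live listing from the local keyring (needs gpg; the sample below does not)."""
    return subprocess.run(["gpg", "--with-colons", "--fingerprint", "--list-keys", keyid],
                          check=True, capture_output=True, text=True).stdout


# Constructed sample: 4096-bit RSA primary (sign/certify), 2048-bit encryption
# subkey, two mail UIDs and a photo UID (uat). Key IDs and addresses are fake.
SAMPLE_LISTING = """\
pub:u:4096:1:0123456789ABCDEF:1407628800:1439164800::u:::scESC::::::23::0:
fpr:::::::::00112233445566778899AABBCCDDEEFF01234567:
uid:u::::1407628800::0000000000000000000000000000000000000000::Erika Mustermann <erika@example.org>::::::::::0:
uid:u::::1407628800::1111111111111111111111111111111111111111::Erika Mustermann <erika@example.net>::::::::::0:
uat:u::::1407628800::2222222222222222222222222222222222222222::1 1018::::::::::0:
sub:u:2048:1:FEDCBA9876543210:1407628800:1439164800:::::e::::::23:
"""

if __name__ == "__main__":
    key = parse_colon_listing(SAMPLE_LISTING)
    slip = "0011 2233 4455 6677 8899  AABB CCDD EEFF 0123 4567"   # from the paper
    print(check_prerequisites(key, slip) or f"prerequisites met, level {cert_level(key)}")
    print("\n".join(signing_commands(key, ["erika@example.org"], "0xSIGNERKEYID")))
```

The helper only prepares the commands; the identity check and the comparison of the slip against the screen stay manual, and the commands are meant to be reviewed before running. Comparing the full 40-digit fingerprint rather than the 0x12345678 key ID from the slip matters: a long key ID alone is rejected by check_prerequisites, because key IDs can be collided while fingerprints cannot be in practice. Exporting with keep-uid reproduces the policy's "each signature mailed separately to the corresponding address": the signee only obtains the certification for an address by reading mail at that address, which is what a level-3 certification asserts.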